authorized Admin Account Takeover in instantsoft/icms2


Reported on

Aug 9th 2023


icms2 contains a flaw in its admin account management functionality, specifically in the process of changing and resetting passwords for administrators. Through careful analysis and testing, it was observed that an authenticated administrator has the capability to change the password of any other administrator's account, effectively allowing unauthorized access and takeover.

Proof of Concept

I performed a test using the admin demo user to change another admin user's nickname, as shown in my video PoC, which you can find here:


Exploiting this vulnerability enables an authenticated attacker to misuse their legitimate access and gain unauthorized control over other administrator accounts.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. (a month ago)
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back (a month ago)
instantsoft/icms2 maintainer modified the Severity from Medium (6.7) to Medium (4.7) (a month ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
instantsoft/icms2 maintainer validated this vulnerability (a month ago)
10Xdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer marked this as fixed in 2.16.1-git with commit 78ff8c (a month ago)
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
instantsoft/icms2 maintainer gave praise (a month ago)
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

a month ago

thank you so much

instantsoft/icms2 maintainer published this vulnerability (22 days ago)